Virus: TR/Dldr.Agent.dne
Date discovered: 21/09/2007
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 7.168 Bytes
MD5 checksum: 119907ad8248b2e06461d782ea93c00B
IVDF version: 6.39.01.161 - Friday, September 21, 2007

General Method of propagation:
   • No own spreading routine


Aliases:
   •  F-Secure: Trojan-Downloader.Win32.Agent.dne
   •  Sophos: Troj/DwnLdr-GXX
   •  Grisoft: Downloader.Agent.STQ


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Registry modification
   • Third party control

Registry:
It registers a browser helper object (BHO) by adding the following keys:

– [HKCR\CLSID\{3F6D54BB-34EE-4469-B094-86B09E53BCF8}]
   • @ = H

– [HKCR\CLSID\{3F6D54BB-34EE-4469-B094-86B09E53BCF8}\InprocServer32]
   • @ = %malware dll%
   • ThreadingModel = Apartment

– [HKCR\CLSID\{3F6D54BB-34EE-4469-B094-86B09E53BCF8}\ProgID]
   • @ = H.1

– [HKCR\CLSID\{3F6D54BB-34EE-4469-B094-86B09E53BCF8}\TypeLib]
   • @ = {71FC19DC-CEEC-45dc-B303-A85633166864}
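The BHO registration listed above is something a defender can look for in a registry export. The following is an added example, not part of the Avira description: it parses a `.reg` text export, looks up the CLSID from this page, and reports the registered in-process DLL, ProgID and threading model; the sample `.reg` content and the DLL path in it are constructed.

```python
"""Check a Windows .reg export for the BHO COM registration described above."""

# CLSID taken from the description above.
BHO_CLSID = "{3F6D54BB-34EE-4469-B094-86B09E53BCF8}"

# Constructed sample of what `reg export HKCR\CLSID out.reg` could contain
# (reg.exe writes UTF-16LE; decode with encoding="utf-16" when reading a real file).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3F6D54BB-34EE-4469-B094-86B09E53BCF8}]
@="H"

[HKEY_CLASSES_ROOT\CLSID\{3F6D54BB-34EE-4469-B094-86B09E53BCF8}\InprocServer32]
@="C:\\WINDOWS\\system32\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{3F6D54BB-34EE-4469-B094-86B09E53BCF8}\ProgID]
@="H.1"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\WINDOWS\\system32\\benign.dll"
"""


def parse_reg(text):
    """Return {KEY_PATH: {value_name: data}} for the string values in .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()          # registry paths are case-insensitive
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            # .reg files escape backslashes in string data as "\\"
            keys[current][name] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_bho_registration(text, clsid=BHO_CLSID):
    """Return the DLL, ProgID and threading model registered for `clsid`, or None."""
    keys = parse_reg(text)
    base = f"HKEY_CLASSES_ROOT\\CLSID\\{clsid}".upper()
    server = keys.get(base + "\\INPROCSERVER32", {})
    if "@" not in server:
        return None
    return {"dll": server["@"],
            "progid": keys.get(base + "\\PROGID", {}).get("@"),
            "threading": server.get("ThreadingModel")}
```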

Backdoor:
Contact server:
All of the following:
   • http://**********oso.com/newuser.php
   • http://**********oso.com/comm.php

As a result it may send information, and remote control could be provided. This is done via the HTTP GET and POST methods, using a PHP script on the server.
The server's answer is written to the file: %SYSDIR%\comm.xml


Sends information about:
    • Current malware status


Remote control capabilities:
    • Download file
    • Execute file

File details:
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Andrei Gherman on Monday, September 24, 2007
Description updated by Andrei Gherman on Monday, September 24, 2007
